The Trojan responsible for stealing more than 1.6 million personal records from Monster.com uses that information to build targeted spam that offers recipients lucrative, but illegal, money laundering jobs, effectively turning some victims into criminal accomplices, said Symantec Corp. today.
Monster.com, meanwhile, said today it had shut down the server used to store the stolen resume information.
Earlier this week, Symantec fingered Infostealer.Monstres for using stolen Monster.com log-ons to run automated searches that have collected information on hundreds of thousands who have posted their resumes on the job search site.
Criminals then used the stolen names, e-mail addresses, home address, phone numbers and resume identification numbers to create convincing e-mail messages that contained malicious code. Some of those messages included Banker.c, a password-stealing Trojan horse that monitored the infected PC for log-ons to online banking accounts. When it sniffed a log-on in process, Banker.c recorded the username and password, then transmitted the data back to the hacker server that Monster.com shuttered today.
But Monstres is also equipped to recruit criminal collaborators, said Vikram Thakur, another Symantec researcher, in a post to the company's blog. By pinging the now-offline server, the Trojan could download several e-mail templates used to churn out a variety of messages touting a get-rich-quick scheme.
"The templates [we] acquired all point to the same position," said Thakur. "The job is that of a 'Transfer Manager' at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company."
"What we offer you is something more than just a job -- it's the opportunity to earn really big money without having to work much," read one of the templates, which plugged in the stolen Monster.com information to personalize the e-mail, and legitimize the message. "This job is not a full-time one -- you can work from 9 to 5 at some other place and use our service as a source of extra cash -- a lot of extra cash we should say," the same e-mail continued.
Among the job requirements, said the messages, were a new checking account with Bank of America. "We will require your bank account information from the newly opened account, needed only to forward wire transfers from your account."
Although the job offer didn't spell it out in so many words, it's clear that the work involves cleaning out accounts of phishing victims, possibly the very ones hit by the Banker.c Trojan. "Your task will be to process payments between our company and our clients with the bank checks using remote Internet operations," read one of the e-mailed job offers. "In each payment order there will be detailed instructions for you. It is a commission based position. We guarantee you will get about 10% from each processed payment."
Payments must be made via Western Union, a dead giveaway that the job is illegal; cybercriminals typically use Western Union wire transfers to move money from compromised bank accounts to their own offshore accounts.
Bank of America customers in the line of fire?
Although these job offers use the title "transfer manager," the more descriptive "mule" or "money mule" is more appropriate. Mules are essential middlemen in the phishing scheme, since most legitimate banking sites block international electronic transfers. Instead, the criminals first transfer funds from the compromised account to the mule's, who in turn withdraws money from his account to pay for the Western Union wire transfers, which are then sent to an overseas recipient.
The Bank of America requirement in the job description indicates that the pilfered accounts will be from Bank of America customers, since mules commonly use accounts at the same bank as the phishing victims. Other templates, if found, may well reveal efforts targeting other financial institutions. Banker.c, for instance, is known to seek out Bank of America accounts as well as those for German subsidiaries of Citibank.
"There are several other things which should raise flags," said Symantec's Thakur, "from how money would be transferred, what denominations the transactions have to happen in, to the fact that the company's Web site states that it is located in Russia while the hosting is in Ukraine."
Monster.com's security page warns users of money mule jobs like those generated by Monstres. Calling the job offers "a recurring issue," Monster warned users to not respond to such messages, and if they receive one, to contact the company. "If you have already responded to the email, or are involved with any financial transactions related to this email, we recommend that you contact your local law enforcement authorities immediately," Monster continued.
The company also announced today that it had found the hacker-controlled server used to store the resume data ripped off by Infostealer.Monstres. "Monster has identified and shut down a rogue server that was accessing seeker contact information through unauthorized use of compromised legitimate employer-client log-in credentials," Monster.com said today in a statement. "The Company is currently analyzing the number of job seeker contacts impacted by this action and will be communicating with those affected as appropriate."